[SOLVED] Error while connecting using https with a java client

#1

Hi,
I have deployed SearchGuard in an ELK stack using the infamous GitHub project:


So I’m using SG6 and ELK 6.7.0.
I wrote a Java client, which I’m reproducing here:

package com.goodbook;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;

import javax.net.ssl.SSLContext;

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestHighLevelClient;

public class SSLClient {
  // User auth
  String user = "admin";
  String password = "admin";
  
  // Server business
  String host = "localhost";
  int port = 9200;
  String protocole = "http";
  HttpHost elasticHost = new HttpHost(host, port, protocole);
  RestClientBuilder builder;
  RestHighLevelClient client;
  
  // authorization objects
  CredentialsProvider credentialsProvider;
  String pathToTrustore = "absolutepath/trustore.jks";
  String trustStorePassword = "changeit";
  KeyStore truststore;
  SSLContextBuilder sslBuilder;
  SSLContext sslContext;

  public SSLClient(){
    setUpClient();
  }

  public void setCredentials() {
    credentialsProvider = new BasicCredentialsProvider();
    credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(user, password));
  }

  public void setKeystore() {
    Path toTrustStore = Paths.get(pathToTrustore);
    try (InputStream is = Files.newInputStream(toTrustStore)) {
      truststore = KeyStore.getInstance("jks");
      truststore.load(is, trustStorePassword.toCharArray());
      System.out.println("truststore size : "+truststore.size());
    } catch (NoSuchAlgorithmException | CertificateException | IOException | KeyStoreException e) {
      e.printStackTrace();
    }
  }

  public void setSslcontext() {
    try {
      sslBuilder = SSLContexts.custom().loadTrustMaterial(truststore, null);
      sslContext = sslBuilder.build();
    } catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException e) {
      e.printStackTrace();
    }
  }

  public void setRestClientBuilder() {
    builder = RestClient.builder(elasticHost);
    builder.setHttpClientConfigCallback(httpClientBuilder -> 
        httpClientBuilder
        .setDefaultCredentialsProvider(credentialsProvider)
        .setSSLContext(sslContext));
    builder.setRequestConfigCallback(
        requestConfigBuilder -> requestConfigBuilder.setConnectTimeout(5000).setSocketTimeout(60000));
  }

  public void setRestClient() {
    client = new RestHighLevelClient(builder);
  }

  public void close() {
    try {
      client.close();
    } catch (IOException e) {
      e.printStackTrace();
    }
  }

  public void setUpClient(){
    setCredentials();
    setKeystore();
    setSslcontext();
    setRestClientBuilder();
    setRestClient();
  }

  public RestHighLevelClient getRestHighLevelClient(){
    return client;
  }
}

It all works fine: I can create an index with the admin user, and when I try to create an index in the cluster using a client without auth, I’m rejected.
My question is: why is it not working when I change the protocol to https? It works with the http protocol, not https.
I’m getting the following error:

[WARNING] 
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.mojo.exec.ExecJavaMojo$1.run (ExecJavaMojo.java:297)
    at java.lang.Thread.run (Thread.java:748)
Caused by: java.io.IOException: Unrecognized SSL message, plaintext connection?
    at org.elasticsearch.client.RestClient$SyncResponseListener.get (RestClient.java:964)
    at org.elasticsearch.client.RestClient.performRequest (RestClient.java:233)
    at org.elasticsearch.client.RestHighLevelClient.internalPerformRequest (RestHighLevelClient.java:1764)
    at org.elasticsearch.client.RestHighLevelClient.performRequest (RestHighLevelClient.java:1749)
    at org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity (RestHighLevelClient.java:1708)
    at org.elasticsearch.client.IndicesClient.create (IndicesClient.java:152)
    at com.goodbook.ElasticExecuteur.createIndex (ElasticExecuteur.java:25)
    at com.goodbook.App.main (App.java:16)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.mojo.exec.ExecJavaMojo$1.run (ExecJavaMojo.java:297)
    at java.lang.Thread.run (Thread.java:748)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at sun.security.ssl.EngineInputRecord.bytesInCompletePacket (EngineInputRecord.java:156)
    at sun.security.ssl.SSLEngineImpl.readNetRecord (SSLEngineImpl.java:857)
    at sun.security.ssl.SSLEngineImpl.unwrap (SSLEngineImpl.java:766)
    at javax.net.ssl.SSLEngine.unwrap (SSLEngine.java:624)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap (SSLIOSession.java:273)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake (SSLIOSession.java:328)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady (SSLIOSession.java:509)
    at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady (AbstractIODispatch.java:120)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.readable (BaseIOReactor.java:162)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent (AbstractIOReactor.java:337)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents (AbstractIOReactor.java:315)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute (AbstractIOReactor.java:276)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.execute (BaseIOReactor.java:104)
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run (AbstractMultiworkerIOReactor.java:588)
    at java.lang.Thread.run (Thread.java:748)

Anyway thank you for the plugin.

#3

Hi,

I’ve tried to reproduce your issue: got ES 6.7.0, installed SG and the demo cluster configuration. I compiled your code, and I get the opposite results: https works, and HTTP does not (connection is closed).

Could you please attach your cluster configuration, including the keys and certificates?

#4

Hi, thanks for answering,
Ports 9200 and 9300 of ES are open; the client is set to use port 9200.


elasticsearch.yml

---
cluster.name: "docker-cluster"
network.host: 0.0.0.0

discovery.zen.minimum_master_nodes: 1

discovery.type: single-node

searchguard.enterprise_modules_enabled: false

searchguard.ssl.transport.keystore_filepath: sg/node-0-keystore.jks
searchguard.ssl.transport.truststore_filepath: sg/truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,l=tEst,C=De"

sg_config.yml

searchguard:
  dynamic:
    http:
      xff:
        enabled: false
    authc:
      basic_internal_auth_domain:
        http_authenticator:
          type: basic
        authentication_backend:
          type: intern

sg_roles.yml

sg_all_access:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
  tenants:
    admin_tenant: RW

sg_readall:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

sg_readall_and_monitor:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

sg_kibana_user:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana_*':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?tasks':
      '*':
        - INDICES_ALL
    '?management-beats':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - indices:data/read/field_caps*
        - indices:data/read/xpack/rollup*
        - indices:admin/mappings/get*
        - indices:admin/get

sg_kibana_server:
  readonly: true
  cluster:
      - CLUSTER_MONITOR
      - CLUSTER_COMPOSITE_OPS
      - cluster:admin/xpack/monitoring*
      - indices:admin/template*
      - indices:data/read/scroll*
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '?kibana-6':
      '*':
        - INDICES_ALL
    '?kibana_*':
      '*':
        - INDICES_ALL
    '?reporting*':
      '*':
        - INDICES_ALL
    '?monitoring*':
      '*':
        - INDICES_ALL
    '?tasks':
      '*':
        - INDICES_ALL
    '?management-beats*':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - "indices:admin/aliases*"

sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX

sg_manage_snapshots:
  cluster:
    - MANAGE_SNAPSHOTS
  indices:
    '*':
      '*':
        - "indices:data/write/index"
        - "indices:admin/create"

sg_own_index:
  cluster:
    - CLUSTER_COMPOSITE_OPS
  indices:
    '${user_name}':
      '*':
        - INDICES_ALL

sg_xp_monitoring:
  readonly: true
  cluster:
    - cluster:monitor/xpack/info
    - cluster:monitor/main
    - cluster:admin/xpack/monitoring/bulk
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL

sg_xp_alerting:
  readonly: true
  cluster:
    - indices:data/read/scroll
    - cluster:admin/xpack/watcher*
    - cluster:monitor/xpack/watcher*
  indices:
    '?watches*':
      '*':
        - INDICES_ALL
    '?watcher-history-*':
      '*':
        - INDICES_ALL
    '?triggered_watches':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - READ
        - indices:admin/aliases/get

sg_xp_machine_learning:
  readonly: true
  cluster:
    - cluster:admin/persistent*
    - cluster:internal/xpack/ml*
    - indices:data/read/scroll*
    - cluster:admin/xpack/ml*
    - cluster:monitor/xpack/ml*
  indices:
    '*':
      '*':
        - READ
        - indices:admin/get*
    '?ml-*':
      '*':
        - "*"

sg_roles_mapping.yml

sg_all_access:
  readonly: true
  backendroles:
    - admin

sg_logstash:
  backendroles:
    - logstash

sg_kibana_server:
  readonly: true
  users:
    - kibanaserver

sg_kibana_user:
  backendroles:
    - kibanauser

sg_readall:
  readonly: true
  backendroles:
    - readall

sg_manage_snapshots:
  readonly: true
  backendroles:
    - snapshotrestore

sg_own_index:
  users:
    - '*'

sg_internal_users.yml

admin:
  readonly: true
  hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG
  roles:
    - admin

logstash:
  hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2
  roles:
    - logstash

kibanaserver:
  readonly: true
  hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.

kibanaro:
  hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC
  roles:
    - kibanauser
    - readall

readall:
  hash: $2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2
  roles:
    - readall

snapshotrestore:
  hash: $2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W
  roles:
    - snapshotrestore

sg_action_groups.yml

UNLIMITED:
  readonly: true
  permissions:
    - "*"

###### INDEX LEVEL ######

INDICES_ALL:
  readonly: true
  permissions:
    - "indices:*"

# for backward compatibility
ALL:
  readonly: true
  permissions:
    - INDICES_ALL

MANAGE:
  readonly: true
  permissions:
    - "indices:monitor/*"
    - "indices:admin/*"

CREATE_INDEX:
  readonly: true
  permissions:
    - "indices:admin/create"
    - "indices:admin/mapping/put"

MANAGE_ALIASES:
  readonly: true
  permissions:
    - "indices:admin/aliases*"

# for backward compatibility
MONITOR:
  readonly: true
  permissions:
    - INDICES_MONITOR

INDICES_MONITOR:
  readonly: true
  permissions:
    - "indices:monitor/*"

DATA_ACCESS:
  readonly: true
  permissions:
    - "indices:data/*"
    - CRUD

WRITE:
  readonly: true
  permissions:
    - "indices:data/write*"
    - "indices:admin/mapping/put"

READ:
  readonly: true
  permissions:
    - "indices:data/read*"
    - "indices:admin/mappings/fields/get*"

DELETE:
  readonly: true
  permissions:
    - "indices:data/write/delete*"

CRUD:
  readonly: true
  permissions:
    - READ
    - WRITE

SEARCH:
  readonly: true
  permissions:
    - "indices:data/read/search*"
    - "indices:data/read/msearch*"
    - SUGGEST

SUGGEST:
  readonly: true
  permissions:
    - "indices:data/read/suggest*"

INDEX:
  readonly: true
  permissions:
    - "indices:data/write/index*"
    - "indices:data/write/update*"
    - "indices:admin/mapping/put"
    - "indices:data/write/bulk*"

GET:
  readonly: true
  permissions:
    - "indices:data/read/get*"
    - "indices:data/read/mget*"

CLUSTER_ALL:
  readonly: true
  permissions:
    - "cluster:*"

CLUSTER_MONITOR:
  readonly: true
  permissions:
    - "cluster:monitor/*"

CLUSTER_COMPOSITE_OPS_RO:
  readonly: true
  permissions:
    - "indices:data/read/mget"
    - "indices:data/read/msearch"
    - "indices:data/read/mtv"
    - "indices:data/read/coordinate-msearch*"
    - "indices:admin/aliases/exists*"
    - "indices:admin/aliases/get*"
    - "indices:data/read/scroll"

CLUSTER_COMPOSITE_OPS:
  readonly: true
  permissions:
    - "indices:data/write/bulk"
    - "indices:admin/aliases*"
    - "indices:data/write/reindex"
    - CLUSTER_COMPOSITE_OPS_RO

MANAGE_SNAPSHOTS:
  readonly: true
  permissions:
    - "cluster:admin/snapshot/*"
    - "cluster:admin/repository/*"

trustore.jks

Nom d'alias : root-ca-chain
Date de création : 5 mai 2018
Type d'entrée : trustedCertEntry

Propriétaire : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Emetteur : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Numéro de série : 1
Valide du Sat May 05 16:37:08 CEST 2018 au Thu May 04 16:37:08 CEST 2028
Empreintes du certificat :
	 SHA 1: 88:48:14:ED:9B:8E:AE:67:7A:FA:4E:9C:F7:6E:B2:8A:BE:79:D5:67
	 SHA 256: CE:31:A5:D1:66:B7:8B:BF:D3:32:0F:BB:3B:49:0C:B2:42:CD:49:0B:7D:61:58:18:FC:D3:7E:63:AF:2E:82:89
Nom de l'algorithme de signature : SHA256withRSA
Algorithme de clé publique du sujet : Clé RSA 2048 bits
Version : 3

Extensions : 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6   42 E6 5E E4 CF 12 F8 57  [...F...B.^....W
0010: 4C 6A 30 15                                        Lj0.
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6   42 E6 5E E4 CF 12 F8 57  [...F...B.^....W
0010: 4C 6A 30 15                                        Lj0.
]
]



*******************************************
*******************************************

kirkstore.jks

Nom d'alias : kirk
Date de création : 5 mai 2018
Type d'entrée : PrivateKeyEntry
Longueur de chaîne du certificat : 3
Certificat[1]:
Propriétaire : CN=kirk, OU=client, O=client, L=Test, C=DE
Emetteur : CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
Numéro de série : 8
Valide du Sat May 05 16:37:16 CEST 2018 au Tue May 02 16:37:16 CEST 2028
Empreintes du certificat :
	 SHA 1: 6E:0E:84:11:74:CF:5F:8E:EC:55:99:DF:D4:3B:66:28:1E:24:E2:B7
	 SHA 256: 1B:97:6A:DF:B3:4C:66:BE:C4:DB:3D:29:65:FC:FF:4F:2B:38:6C:55:05:E5:B2:B8:44:5E:35:A4:FE:A2:C5:89
Nom de l'algorithme de signature : SHA256withRSA
Algorithme de clé publique du sujet : Clé RSA 2048 bits
Version : 3

Extensions : 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 94 77 E2 93 31 0B 3F B6   E7 CB E5 8E 6A 44 A4 C4  .w..1.?.....jD..
0010: E3 04 C1 E0                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl]
]]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#5: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 39 7C F6 B5 FB 49 2E 05   97 FA 1C 1B B4 99 88 B4  9....I..........
0010: 2D 27 27 C7                                        -''.
]
]

Certificat[2]:
Propriétaire : CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
Emetteur : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Numéro de série : 2
Valide du Sat May 05 16:37:08 CEST 2018 au Thu May 04 16:37:08 CEST 2028
Empreintes du certificat :
	 SHA 1: 22:86:BF:91:83:D9:FA:30:FB:34:35:04:7A:75:57:7D:24:95:C5:49
	 SHA 256: 4E:BE:1F:75:3D:D4:92:53:7B:74:C7:0A:6A:3D:57:14:A2:C7:01:ED:06:B0:E0:BC:8F:7F:C6:6F:87:8E:E3:5E
Nom de l'algorithme de signature : SHA256withRSA
Algorithme de clé publique du sujet : Clé RSA 2048 bits
Version : 3

Extensions : 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6   42 E6 5E E4 CF 12 F8 57  [...F...B.^....W
0010: 4C 6A 30 15                                        Lj0.
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 94 77 E2 93 31 0B 3F B6   E7 CB E5 8E 6A 44 A4 C4  .w..1.?.....jD..
0010: E3 04 C1 E0                                        ....
]
]

Certificat[3]:
Propriétaire : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Emetteur : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Numéro de série : 1
Valide du Sat May 05 16:37:08 CEST 2018 au Thu May 04 16:37:08 CEST 2028
Empreintes du certificat :
	 SHA 1: 88:48:14:ED:9B:8E:AE:67:7A:FA:4E:9C:F7:6E:B2:8A:BE:79:D5:67
	 SHA 256: CE:31:A5:D1:66:B7:8B:BF:D3:32:0F:BB:3B:49:0C:B2:42:CD:49:0B:7D:61:58:18:FC:D3:7E:63:AF:2E:82:89
Nom de l'algorithme de signature : SHA256withRSA
Algorithme de clé publique du sujet : Clé RSA 2048 bits
Version : 3

Extensions : 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6   42 E6 5E E4 CF 12 F8 57  [...F...B.^....W
0010: 4C 6A 30 15                                        Lj0.
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6   42 E6 5E E4 CF 12 F8 57  [...F...B.^....W
0010: 4C 6A 30 15                                        Lj0.
]
]



*******************************************
*******************************************

node-0-keystore.jks

Nom d'alias : node-0
Date de création : 5 mai 2018
Type d'entrée : PrivateKeyEntry
Longueur de chaîne du certificat : 3
Certificat[1]:
Propriétaire : CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE
Emetteur : CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
Numéro de série : 1
Valide du Sat May 05 16:37:09 CEST 2018 au Tue May 02 16:37:09 CEST 2028
Empreintes du certificat :
	 SHA 1: 55:A2:56:D5:8D:61:71:8D:D6:CC:63:B3:4C:17:4A:63:F0:25:97:D4
	 SHA 256: 69:91:03:9F:12:1E:DC:02:88:3D:23:74:58:4F:20:FC:D9:44:C0:77:DD:D6:8E:18:10:C6:BC:90:FC:3E:04:17
Nom de l'algorithme de signature : SHA256withRSA
Algorithme de clé publique du sujet : Clé RSA 2048 bits
Version : 3

Extensions : 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 94 77 E2 93 31 0B 3F B6   E7 CB E5 8E 6A 44 A4 C4  .w..1.?.....jD..
0010: E3 04 C1 E0                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl]
]]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#5: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#6: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node-0.example.com
  DNSName: localhost
  IPAddress: 127.0.0.1
  OIDName: 1.2.3.4.5.5
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7C 5C 3A EA A6 65 AC 10   6A 66 9D F3 F7 B0 87 45  .\:..e..jf.....E
0010: 4C E6 7B 5C                                        L..\
]
]

Certificat[2]:
Propriétaire : CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
Emetteur : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Numéro de série : 2
Valide du Sat May 05 16:37:08 CEST 2018 au Thu May 04 16:37:08 CEST 2028
Empreintes du certificat :
	 SHA 1: 22:86:BF:91:83:D9:FA:30:FB:34:35:04:7A:75:57:7D:24:95:C5:49
	 SHA 256: 4E:BE:1F:75:3D:D4:92:53:7B:74:C7:0A:6A:3D:57:14:A2:C7:01:ED:06:B0:E0:BC:8F:7F:C6:6F:87:8E:E3:5E
Nom de l'algorithme de signature : SHA256withRSA
Algorithme de clé publique du sujet : Clé RSA 2048 bits
Version : 3

Extensions : 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6   42 E6 5E E4 CF 12 F8 57  [...F...B.^....W
0010: 4C 6A 30 15                                        Lj0.
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 94 77 E2 93 31 0B 3F B6   E7 CB E5 8E 6A 44 A4 C4  .w..1.?.....jD..
0010: E3 04 C1 E0                                        ....
]
]

Certificat[3]:
Propriétaire : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Emetteur : CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Numéro de série : 1
Valide du Sat May 05 16:37:08 CEST 2018 au Thu May 04 16:37:08 CEST 2028
Empreintes du certificat :
	 SHA 1: 88:48:14:ED:9B:8E:AE:67:7A:FA:4E:9C:F7:6E:B2:8A:BE:79:D5:67
	 SHA 256: CE:31:A5:D1:66:B7:8B:BF:D3:32:0F:BB:3B:49:0C:B2:42:CD:49:0B:7D:61:58:18:FC:D3:7E:63:AF:2E:82:89
Nom de l'algorithme de signature : SHA256withRSA
Algorithme de clé publique du sujet : Clé RSA 2048 bits
Version : 3

Extensions : 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6   42 E6 5E E4 CF 12 F8 57  [...F...B.^....W
0010: 4C 6A 30 15                                        Lj0.
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 5B C7 B9 B0 46 EE FF F6   42 E6 5E E4 CF 12 F8 57  [...F...B.^....W
0010: 4C 6A 30 15                                        Lj0.
]
]



*******************************************
*******************************************

#5

Could you please attach the configuration as a .zip of files? I would like to test it with your keystore .jks files. Copy-pasting binary files into text will not work.

#6

sg_config.zip (13.5 KB)

I have attached the config files, thanks for your time.
If you want to test this quickly, I think the best way is to clone the search guard branch of this repo:

#7

Thanks for the zip containing the config files. I am still missing the trustStorePassword.
The good thing is that without a valid trustStorePassword I’ve reproduced the same behavior as the one you described. When I try to connect with https, I get:

Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection? 

I get this error because my truststore password is invalid. Please check your password and let me know if this helped.

#8

Hi,
my bad, trustStorePassword is “changeit”.

Here is the code I execute with my client:

package com.goodbook;

import java.io.IOException;

import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.client.RequestOptions;

public class App {
  public static void main(String[] args) throws IOException
  {
    // SSLClient builds the truststore, credentials and SSL context shown above
    SSLClient client = new SSLClient();
    String index = "debug-index";
    CreateIndexRequest request = new CreateIndexRequest(index);
    client.getRestHighLevelClient().indices().create(request, RequestOptions.DEFAULT);
    client.close();
  }
}

Now here are three tests:

  1. With the wrong password, “changeme” for instance, and protocole = “http”, I got

java.io.IOException: Keystore was tampered with, or password was incorrect

and no index is created (all fine).

  2. With the correct password (“changeit”) and protocole = “http”, I got my “debug-index” created, no warning or error of any kind.

  3. With the correct password (“changeit”) and protocole = “https”, “debug-index” is not created and the output is

[WARNING] 
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.mojo.exec.ExecJavaMojo$1.run (ExecJavaMojo.java:297)
    at java.lang.Thread.run (Thread.java:748)
Caused by: java.io.IOException: Unrecognized SSL message, plaintext connection?
    at org.elasticsearch.client.RestClient$SyncResponseListener.get (RestClient.java:964)
    at org.elasticsearch.client.RestClient.performRequest (RestClient.java:233)
    at org.elasticsearch.client.RestHighLevelClient.internalPerformRequest (RestHighLevelClient.java:1764)
    at org.elasticsearch.client.RestHighLevelClient.performRequest (RestHighLevelClient.java:1749)
    at org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity (RestHighLevelClient.java:1708)
    at org.elasticsearch.client.IndicesClient.create (IndicesClient.java:152)
    at com.goodbook.App.main (App.java:18)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.mojo.exec.ExecJavaMojo$1.run (ExecJavaMojo.java:297)
    at java.lang.Thread.run (Thread.java:748)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at sun.security.ssl.EngineInputRecord.bytesInCompletePacket (EngineInputRecord.java:156)
    at sun.security.ssl.SSLEngineImpl.readNetRecord (SSLEngineImpl.java:857)
    at sun.security.ssl.SSLEngineImpl.unwrap (SSLEngineImpl.java:766)
    at javax.net.ssl.SSLEngine.unwrap (SSLEngine.java:624)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap (SSLIOSession.java:273)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake (SSLIOSession.java:328)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady (SSLIOSession.java:509)
    at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady (AbstractIODispatch.java:120)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.readable (BaseIOReactor.java:162)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent (AbstractIOReactor.java:337)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents (AbstractIOReactor.java:315)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute (AbstractIOReactor.java:276)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.execute (BaseIOReactor.java:104)
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run (AbstractMultiworkerIOReactor.java:588)
    at java.lang.Thread.run (Thread.java:748)

Are you able to reproduce this behaviour?

EDIT
I read your answer again; the password I put in the client is the correct one, so I don’t understand how you got an invalid password.
When I run keytool -v -list -keystore truststore.jks with the password “changeit” I can access the keys in the store, so the password seems correct to me…

#9

Thanks for all the configs and the password. This time I was able to reproduce the behaviour you’ve described: http worked, https did not, and the keystore password was correct.

I’ve added some extra config into elasticsearch.yml that configures SSL over HTTP. Your config only contains entries for the transport layer (the internal ES protocol used to communicate between cluster nodes).

The added lines are:

searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.enabled: true

After restarting the cluster the Java code worked on https.
I hope this time we’re luckier. Let me know if it helps.
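The mismatch described above, as an added example that is not part of the thread or of Search Guard: the posted elasticsearch.yml enables TLS only on the transport layer, so port 9200 keeps answering plaintext HTTP and the Java client's TLS handshake reads an HTTP status line, which the JDK reports as "Unrecognized SSL message, plaintext connection?". The Python below lints a config for the three REST-layer settings from #9 and classifies the first bytes a probe gets back from the REST port; the config text is constructed from the posts, and the simplified flat-YAML reader is an assumption of this example, not an Elasticsearch API.

```python
"""Why an https:// client fails against the posted elasticsearch.yml.

Added example, not code from the thread or from Search Guard. The posted
config enables TLS only on the transport layer, so port 9200 answers in
plaintext HTTP; the Java client's TLS handshake then reads an HTTP status
line and the JDK reports "Unrecognized SSL message, plaintext connection?".
"""
import socket

# Settings added in #9 so that Search Guard serves TLS on the REST layer.
HTTP_TLS_KEYS = (
    "searchguard.ssl.http.enabled",
    "searchguard.ssl.http.keystore_filepath",
    "searchguard.ssl.http.truststore_filepath",
)
TRANSPORT_TLS_KEY = "searchguard.ssl.transport.keystore_filepath"

# Constructed from the elasticsearch.yml posted in #4 (TLS-relevant lines only).
POSTED_CONFIG = """\
---
cluster.name: "docker-cluster"
network.host: 0.0.0.0
discovery.type: single-node
searchguard.ssl.transport.keystore_filepath: sg/node-0-keystore.jks
searchguard.ssl.transport.truststore_filepath: sg/truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,l=tEst,C=De"
"""

# The same file with the three lines from #9 appended.
FIXED_CONFIG = POSTED_CONFIG + """\
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.enabled: true
"""


def parse_flat_settings(text):
    """Simplified elasticsearch.yml reader (assumption: flat `key: value` lines).

    Nested blocks such as the admin_dn list, comments and the `---` marker
    are skipped; quotes around scalar values are stripped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line[0] in "#-" or line[0].isspace():
            continue
        key, sep, value = line.partition(":")
        value = value.strip().strip('"').strip("'")
        if sep and value:
            settings[key.strip()] = value
    return settings


def check_rest_tls(settings):
    """Decide which scheme a client can use against this node's REST port."""
    transport_tls = TRANSPORT_TLS_KEY in settings
    http_enabled = settings.get("searchguard.ssl.http.enabled", "false").lower() == "true"
    missing = [k for k in HTTP_TLS_KEYS if k not in settings]
    if http_enabled and not missing:
        verdict = "rest-tls"        # REST speaks TLS: the client must use https
    elif transport_tls:
        verdict = "transport-only"  # node-to-node TLS only: REST is plaintext http
    else:
        verdict = "no-tls"
    return {"verdict": verdict, "missing": missing}


def classify_first_bytes(data):
    """Classify the first bytes a probe gets back from the REST port.

    A plaintext listener answers TLS bytes with an HTTP status line (the input
    the JDK rejects as "plaintext connection?"); a TLS listener answers
    plaintext with a TLS alert record (type 0x15) or just closes the socket.
    """
    if not data:
        return "closed"
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    if data.startswith(b"HTTP/1."):
        return "plaintext-http"
    return "unknown"


def probe_rest_endpoint(host, port=9200, timeout=5.0):
    """Live check: send a plaintext request and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            return classify_first_bytes(sock.recv(16))
        except socket.timeout:
            return "unknown"
```

A "transport-only" verdict from the lint, or a "plaintext-http" reply from the probe, means the node must get the three `searchguard.ssl.http.*` lines (or the client must stay on http) before an https client can connect.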

#10

Hi pablo,
thanks, the client now works well with those extra lines.
I’ve still got a lot to do to configure Kibana and Logstash, but I’m moving forward!